Overview

overview

10

Static

static

e123d54b17...ff.dll

windows7_x64

10

e123d54b17...ff.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    17-04-2022 07:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e123d54b17c5dba50509d3d0abdd61cf01d27eaf82e7d810351c550f018636ff.dll

  • Size

    881KB

  • MD5

    ef39ac4244c3fc0ee69d71563bcdb993

  • SHA1

    bb3f3706cced11a8140015d587654640cbeb99bb

  • SHA256

    e123d54b17c5dba50509d3d0abdd61cf01d27eaf82e7d810351c550f018636ff

  • SHA512

    11cc5fa8bc6f479bcbaa11332dbf6c47b5bc3d742bfaca8ec52aa929c8857db9bd2de99148006c89695c37b13601ba2e712f48f5d57deff95d36c99ed7fac33e

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e123d54b17c5dba50509d3d0abdd61cf01d27eaf82e7d810351c550f018636ff.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1936
  • C:\Windows\system32\wbengine.exe
    C:\Windows\system32\wbengine.exe
    1⤵
      PID:812
    • C:\Users\Admin\AppData\Local\xMy6TcjL\wbengine.exe
      C:\Users\Admin\AppData\Local\xMy6TcjL\wbengine.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:832
    • C:\Windows\system32\AdapterTroubleshooter.exe
      C:\Windows\system32\AdapterTroubleshooter.exe
      1⤵
        PID:1276
      • C:\Users\Admin\AppData\Local\WZ0Goifn7\AdapterTroubleshooter.exe
        C:\Users\Admin\AppData\Local\WZ0Goifn7\AdapterTroubleshooter.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:668
      • C:\Windows\system32\BdeUISrv.exe
        C:\Windows\system32\BdeUISrv.exe
        1⤵
          PID:396
        • C:\Users\Admin\AppData\Local\XAK\BdeUISrv.exe
          C:\Users\Admin\AppData\Local\XAK\BdeUISrv.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1144

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\WZ0Goifn7\AdapterTroubleshooter.exe
          Filesize

          39KB

          MD5

          d4170c9ff5b2f85b0ce0246033d26919

          SHA1

          a76118e8775e16237cf00f2fb79718be0dc84db1

          SHA256

          d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da

          SHA512

          9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608

          Download Submit
        • C:\Users\Admin\AppData\Local\WZ0Goifn7\d3d9.dll
          Filesize

          881KB

          MD5

          e788d1ce35825a865dbdf372420e0a8c

          SHA1

          b66af6aa2346aa69a3e44547e6e4a1e3df11ee94

          SHA256

          110f7f5e799efee99a6afdac61e30e2b594b98bdca47070201a7e7d3b2cd9089

          SHA512

          a2ac3aab11106d6b0460f2959b6afb3e3a6ba42c1e783add395e0a516c3a0b56d32374ca0bedd74d2b01a57f22c0777c58964c9caeffb83f379ce280e1736fd3

          Download Submit
        • C:\Users\Admin\AppData\Local\XAK\BdeUISrv.exe
          Filesize

          47KB

          MD5

          1da6b19be5d4949c868a264bc5e74206

          SHA1

          d5ee86ba03a03ef8c93d93accafe40461084c839

          SHA256

          00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c

          SHA512

          9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

          Download Submit
        • C:\Users\Admin\AppData\Local\XAK\WTSAPI32.dll
          Filesize

          883KB

          MD5

          bc018bed5efc7f3f9cc73f62ef69f87a

          SHA1

          c15513ae71ac9004085b11801582195b2f937d23

          SHA256

          02739fe15408449dc1d2d2e5664245c99442fed548197ec29fea66ecbb3874d9

          SHA512

          f478ed3e93a1c426bcc77c6aa1f3fcb7e6df5c633e07898d647fab58d4476099a033312d52280fcde049474631794a5196848694e26a4cdc9dffa322d7b939e9

          Download Submit
        • C:\Users\Admin\AppData\Local\xMy6TcjL\XmlLite.dll
          Filesize

          881KB

          MD5

          f6d964c825ec3c6e6182eb0e4f10a0df

          SHA1

          3ed662437cb090e79c58fc1ac7516ac89d1d1369

          SHA256

          e13dad8dc147ce074d78811367a485ff0e75ba58b1388f87b69ff52004de55e0

          SHA512

          2d50d2045a9af12db25d5cec10e2a44c8a80afbc8a5bf8d23bf2e4b2c958254eb312ebc329e877dd6f6b4e83c9732f7fecaaeeeda5df9355a86805230224c983

          Download Submit
        • C:\Users\Admin\AppData\Local\xMy6TcjL\wbengine.exe
          Filesize

          1.4MB

          MD5

          78f4e7f5c56cb9716238eb57da4b6a75

          SHA1

          98b0b9db6ec5961dbb274eff433a8bc21f7e557b

          SHA256

          46a4e78ce5f2a4b26f4e9c3ff04a99d9b727a82ac2e390a82a1611c3f6e0c9af

          SHA512

          1a24ea71624dbbca188ee3b4812e09bc42e7d38ceac02b69940d7693475c792685a23141c8faa85a87ab6aace3f951c1a81facb610d757ac6df37cf2aa65ccd2

          Download Submit
        • \Users\Admin\AppData\Local\WZ0Goifn7\AdapterTroubleshooter.exe
          Filesize

          39KB

          MD5

          d4170c9ff5b2f85b0ce0246033d26919

          SHA1

          a76118e8775e16237cf00f2fb79718be0dc84db1

          SHA256

          d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da

          SHA512

          9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608

          Download Submit
        • \Users\Admin\AppData\Local\WZ0Goifn7\d3d9.dll
          Filesize

          881KB

          MD5

          e788d1ce35825a865dbdf372420e0a8c

          SHA1

          b66af6aa2346aa69a3e44547e6e4a1e3df11ee94

          SHA256

          110f7f5e799efee99a6afdac61e30e2b594b98bdca47070201a7e7d3b2cd9089

          SHA512

          a2ac3aab11106d6b0460f2959b6afb3e3a6ba42c1e783add395e0a516c3a0b56d32374ca0bedd74d2b01a57f22c0777c58964c9caeffb83f379ce280e1736fd3

          Download Submit
        • \Users\Admin\AppData\Local\XAK\BdeUISrv.exe
          Filesize

          47KB

          MD5

          1da6b19be5d4949c868a264bc5e74206

          SHA1

          d5ee86ba03a03ef8c93d93accafe40461084c839

          SHA256

          00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c

          SHA512

          9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

          Download Submit
        • \Users\Admin\AppData\Local\XAK\WTSAPI32.dll
          Filesize

          883KB

          MD5

          bc018bed5efc7f3f9cc73f62ef69f87a

          SHA1

          c15513ae71ac9004085b11801582195b2f937d23

          SHA256

          02739fe15408449dc1d2d2e5664245c99442fed548197ec29fea66ecbb3874d9

          SHA512

          f478ed3e93a1c426bcc77c6aa1f3fcb7e6df5c633e07898d647fab58d4476099a033312d52280fcde049474631794a5196848694e26a4cdc9dffa322d7b939e9

          Download Submit
        • \Users\Admin\AppData\Local\xMy6TcjL\XmlLite.dll
          Filesize

          881KB

          MD5

          f6d964c825ec3c6e6182eb0e4f10a0df

          SHA1

          3ed662437cb090e79c58fc1ac7516ac89d1d1369

          SHA256

          e13dad8dc147ce074d78811367a485ff0e75ba58b1388f87b69ff52004de55e0

          SHA512

          2d50d2045a9af12db25d5cec10e2a44c8a80afbc8a5bf8d23bf2e4b2c958254eb312ebc329e877dd6f6b4e83c9732f7fecaaeeeda5df9355a86805230224c983

          Download Submit
        • \Users\Admin\AppData\Local\xMy6TcjL\wbengine.exe
          Filesize

          1.4MB

          MD5

          78f4e7f5c56cb9716238eb57da4b6a75

          SHA1

          98b0b9db6ec5961dbb274eff433a8bc21f7e557b

          SHA256

          46a4e78ce5f2a4b26f4e9c3ff04a99d9b727a82ac2e390a82a1611c3f6e0c9af

          SHA512

          1a24ea71624dbbca188ee3b4812e09bc42e7d38ceac02b69940d7693475c792685a23141c8faa85a87ab6aace3f951c1a81facb610d757ac6df37cf2aa65ccd2

          Download Submit
        • \Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\Collab\80c4dgvi\BdeUISrv.exe
          Filesize

          47KB

          MD5

          1da6b19be5d4949c868a264bc5e74206

          SHA1

          d5ee86ba03a03ef8c93d93accafe40461084c839

          SHA256

          00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c

          SHA512

          9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

          Download Submit
        • memory/668-72-0x0000000000000000-mapping.dmp
          Download
        • memory/832-67-0x0000000000000000-mapping.dmp
          Download
        • memory/1144-77-0x0000000000000000-mapping.dmp
          Download
        • memory/1260-61-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/1260-60-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/1260-59-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/1260-65-0x0000000077100000-0x0000000077102000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1260-62-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/1260-54-0x00000000029A0000-0x00000000029A1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1260-57-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/1260-55-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/1260-63-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/1260-64-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/1260-56-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/1260-58-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download